From patchwork Sun Feb 18 15:40:24 2024
X-Patchwork-Submitter: Cheng Li
X-Patchwork-Id: 1900660
From: Cheng Li
To: dev@openvswitch.org
Date: Sun, 18 Feb 2024 15:40:24 +0000
Message-Id: <20240218154024.373642-1-lic121@chinatelecom.cn>
Subject: [ovs-dev] [PATCH] upcall: Check flow consistant in upcall.

Ovs ko passes odp key and packet to userspace. Next, the packet is extracted into a flow, which is the input for xlate to generate wc. At last, ukey (= odp_key/wc) is installed into the datapath. If the odp_key is not consistent with the packet-extracted flow, the ukey will be wrong.

Commit [1] was created to fix inconsistency caused by a bad tcp header. Commit [2] was created to fix inconsistency caused by a bad ip header.

There is no guarantee of the consistency of odp_key and packet flow. So it is necessary to make the check to prevent installing a wrong ukey.

[1] 1f5749c790accd98dbcafdaefc40bf5e52d7c672
[2] 79349cbab0b2a755140eedb91833ad2760520a83

Signed-off-by: Cheng Li
--- ofproto/ofproto-dpif-upcall.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/ofproto/ofproto-dpif-upcall.c b/ofproto/ofproto-dpif-upcall.c index b5cbeed87..6e46e5a5a 100644 --- a/ofproto/ofproto-dpif-upcall.c +++ b/ofproto/ofproto-dpif-upcall.c @@ -66,6 +66,7 @@ COVERAGE_DEFINE(upcall_flow_limit_reduced); COVERAGE_DEFINE(upcall_flow_limit_scaled); COVERAGE_DEFINE(upcall_ukey_contention); COVERAGE_DEFINE(upcall_ukey_replace); +COVERAGE_DEFINE(upcall_packet_flow_inconsistant); /* A thread that reads upcalls from dpif, forwards each upcall's packet, * and possibly sets up a kernel flow as a cache. */ 
@@ -840,6 +841,8 @@ recv_upcalls(struct handler *handler) struct dpif_upcall dupcalls[UPCALL_MAX_BATCH]; struct upcall upcalls[UPCALL_MAX_BATCH]; struct flow flows[UPCALL_MAX_BATCH]; + struct flow odp_flow; + struct flow_wildcards flow_wc; size_t n_upcalls, i; n_upcalls = 0; @@ -903,8 +906,17 @@ recv_upcalls(struct handler *handler) upcall->out_tun_key = dupcall->out_tun_key; upcall->actions = dupcall->actions; + /* Save odp flow before overwrite. */ + memcpy(&odp_flow, flow, sizeof flow); pkt_metadata_from_flow(&dupcall->packet.md, flow); flow_extract(&dupcall->packet, flow); + flow_wildcards_init_for_packet(&flow_wc, &flow); + if (!flow_equal_except(&odp_flow, flow, &flow_wc)) { + /* If odp flow is not consistant with flow extract from packet, + * bad ukey/mask will be installed. */ + COVERAGE_INC(upcall_packet_flow_inconsistant); + goto cleanup; + } error = process_upcall(udpif, upcall, &upcall->odp_actions, &upcall->wc);
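Review bot: In the @@ -66,6 +66,7 @@ hunk the new counter name is misspelled: "upcall_packet_flow_inconsistant" should be "upcall_packet_flow_inconsistent". Coverage counter names are what operators see and grep for in coverage output, so it is worth fixing before the name is in use; the COVERAGE_INC() call in the recv_upcalls() hunk needs the same rename. The counter is also the only signal that an upcall was rejected, so a line documenting it (and what a non-zero value means) would help whoever has to debug dropped upcalls later.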
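Review bot: In the @@ -903,8 +906,17 @@ hunk, "memcpy(&odp_flow, flow, sizeof flow);" takes the size of the pointer, not of the struct. "flow" is passed straight to flow_extract() and flow_equal_except() as a pointer, so only a pointer-sized prefix of the odp flow is saved and the rest of odp_flow, a stack variable, is uninitialized when it is compared. Use "sizeof *flow" or a plain struct assignment "odp_flow = *flow;". For the same reason "flow_wildcards_init_for_packet(&flow_wc, &flow);" passes the address of the pointer; it should take "flow", as the other calls in this hunk do. Separately, "goto cleanup" skips process_upcall() entirely, so a mismatch drops the packet and not only the ukey install, while the comment mentions just the bad ukey/mask. Please state the drop in the comment and consider a rate-limited log next to the counter so the mismatching fields can be diagnosed.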